India's historic Digital Personal Data Protection Bill is one step away from becoming law

The Digital Personal Data Protection bill was passed in the Rajya Sabha on Wednesday. Minister for Electronics & Information Technology, Ashwini Vaishnaw, tabled the bill in the Lok Sabha and it got passed on August 7. The bill now requires the assent of the President of India Draupadi Murmu. 

Vaishnaw thanked PM Modi and both houses for clearing the bill and giving India its 'landmark DPDP Bill'. In a tweet, he said, "Thanks to all the stakeholders who engaged in the extensive consultations and all the hon’ble members of both the houses of Parliament for giving this landmark DPDP Bill to the nation."

Also, thanks to all the stakeholders who engaged in the extensive consultations and all the hon’ble members of both the houses of Parliament for giving this landmark DPDP Bill to the nation.#DPDPBillPassed

— Ashwini Vaishnaw (@AshwiniVaishnaw) August 9, 2023

The main aim of the 2023 Digital Personal Data Protection Bill is to create a comprehensive structure safeguarding personal data. This structure encompasses personal data gathered within India, encompassing both digitally transformed online and offline data. Additionally, the bill's provisions will be relevant if data processing takes place beyond India's borders but includes providing goods or services to individuals within the nation.

Key Highlights of the 2023 Digital Personal Data Protection Bill encompass:

Data Security: Entities entrusted with user data must ensure the safeguarding of personal information, even when stored with third-party data processors.

Data Breach Notification: In case of a data breach, companies are obligated to promptly notify both the Data Protection Board (DPB) and affected users.

Special Provisions for Minors and Individuals with Disabilities: Processing the data of minors and individuals under guardianship requires explicit consent from their guardians.

Appointment of Data Protection Officer (DPO): Companies are compelled to designate a Data Protection Officer and share their contact information with users.

Government Authority over Data Transfer: The bill grants the central government the power to regulate the transfer of personal data to foreign countries or territories beyond India.

Appeals Mechanism: Disputes arising from DPB decisions will be reviewed by the Telecom Disputes Settlement and Appellate Tribunal.

Authority of the DPB: The DPB possesses the jurisdiction to summon and examine individuals under oath, scrutinize documents of companies managing personal data, and recommend the blocking of access to intermediaries that repeatedly violate the bill's stipulations.

Applauding the Govt's move Supratim Chakraborty, Partner at Khaitan & Co. said, "This Bill, currently pending presidential assent, is poised to reshape how businesses handle personal data within India. Notably, the Bill introduces a negative-list approach for cross-border data transfers, allowing data flow to all jurisdictions by default, unless expressly prohibited. However, stricter local laws governing data transfer will take precedence."

Also read: ‘Will regulate AI,' says MoS IT Rajeev Chandrasekhar on Digital India Bill

Shreya Suri, Partner, INDUSLAW said, "As we inch closer to the long-awaited personal data protection legislation reaching ‘enactment’ status, there are still some gaps which would necessarily need to be addressed. For instance, the bill does not indicate the kind of security safeguards which need to be adopted by data fiduciaries for preventing data breaches, to be considered as  ‘reasonable’, although a hefty penalty of up to INR 250 crores has been prescribed for non-compliance with this requirement."

She further added, "Gaps aside, the Bill is still a huge positive step towards India meeting the global adequacy requirements, and despite exemptions granted to state instrumentalities in certain limited instances, minimum standards for processing will still be required to be implemented."

Also read: 'Misinformation tends to travel faster than truth': MoS IT Chandrasekhar on need for Digital Data Protection Bill